Trust low in state's security system

Turning protection over to private firm suggested

Dec. 4, 2012

State Law Enforcement Division Chief Mark Keel, left, South Carolina Department of Revenue Director James Etter, Michael Williams of the United States Secret Service, Inspector General Patrick Maley and Marshall Heilman of Mandiant, right, make an announcement that there was a security breach in Department of Revenue information. Friday, October 26, 2012 / Heidi Heilbrunn/Staff

Written by

Capital Bureau

COLUMBIA — The massive data breach of the state Revenue Department has not only cost the state almost $20 million but also, officials say, eroded the confidence of citizens in their government.

So a key legislative leader in the effort to rebuild the state’s cyber security and restore that confidence wants the Legislature to consider turning to the private sector for help, he told GreenvilleOnline.com.

Sen. Kevin Bryant, co-chairman of a Senate finance subcommittee investigating the hacking, said in an interview that he hasn’t decided what form the state’s new cyber security system should take, but that he believes the General Assembly should explore the idea of the private computer security firms taking part.

“I think the private sector adjusts very quickly,” he said. “Government seems to work too slow and in this case we have technology that changes by the second.”

Bryant said he isn’t against forming an in-house security agency but he wants to look at other options.

“I just have the concern that government tends to react to problems rather than proactively prevent problems,” he said.

The lack of confidence in the state’s ability to protect residents’ data is evident even within state government and even within the fraternity of computer system managers who run the systems.

State Inspector General Patrick Maley said his investigation into the hacking shows that many state agency chief information officers, the officials who run agency computer networks, believe the state’s cyber security posture is poor.

Maley is recommending that the state create a cyber security program, establish the position of chief information security officer, create an entity to accept responsibility for the security program and the authority to create policies. The report also recommends the hiring of a private consultant to help the state craft a security program and implement it.

The September breach exposed 3.8 million Social Security numbers, 3.3 million checking account numbers and information belonging to nearly 700,000 businesses. Since then, credit-monitoring services have been offered free to individual taxpayers and businesses, the Department of Revenue’s director has submitted his resignation, and the agency has begun encrypting all of its data.

Maley was asked by Gov. Nikki Haley to review cyber security at all state agencies. She has said she expects the state to hire a consultant to help build a statewide plan.

About 100 agencies, commissions, boards, colleges and universities operate computers in state government but there is no centralized control of their security and operations.

As part of his investigation, Maley interviewed 18 chief information officers.

On a scale of one to five, with five being high and one being very low, 15 of 18 information officers rated statewide information security as either low or very low. Their rating averaged 1.7.

Eight of the officers rated their own agencies’ capabilities as low or very low, according to Maley’s investigation.

Another eight rated the threat level of a breach as high.

He said one information security officer said cyber security is less than adequate statewide.

“There are many instances where agencies have a false sense of security by having a policy covering a vulnerability, yet their procedures to implement the policy don’t work,” Maley quoted the officer as saying.

An information officer “with unique access to related state agencies” rated state cyber security “as 2 on a good day,” Maley said.

He said small agencies have challenges with expertise and resources in cyber security.

Maley said agencies have in place the software and hardware to control access to their networks and data as well as battle viruses and malware.

“However, many agencies have technical obstacles to overcome, such as aging, legacy applications and hardware that do not support necessary information security measures,” Maley said.

The information officers also cited a lack of employee awareness training and developing a culture of security as problems.

Mandiant, a private cyber security firm hired by the Revenue Department to investigate its breach and recommend solutions, said the agency’s breach likely was caused by a hacker tricking an employee into opening an email, releasing malware that copied the employee’s credentials, which the hacker used to gain entry to the system.

Jim Etter, the outgoing revenue director, has said the agency went almost a year without a cyber security officer because the salary being offered wasn’t competitive with the private sector.